Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Risk Vulnerability Assesment for list_storage_passwords

Mitch_TA_Debug
Explorer
‎03-19-2025 06:08 AM

Does anyone know of a risk assessment done for apps like the Cisco SNA addon Cisco Secure Network Analytics (Stealthwatch) App for Splunk Enterprise | Splunkbase that require all users to have list_storage_passwords capability? 

Does this capability mean that users (once authenticated) could craft a request that would provide them with a sensitive password in plaintext?

Thanks

Labels (1)
Labels
0 Karma
Reply

effem
Communicator
‎03-25-2025 06:23 AM

list_storage_passwords is a capability. That means users with a role providing this capability will be able to show credentials in the credential-store for any app, where the have read-access to the credential-store.

In example.

If the app has this metadata/default.meta:

[]
access = read : [*], write : [admin]

Anyone can read the passwords/credentials in this app, if the user has the "list_storage_passwords" capability.


If an app has this default.meta

[]
access = read : [*], write : [admin]

[passwords]
access = read : [ trustworthy_role, admin ], write [admin]

Only users with the trustworthy role can see the credentials.

Make sure you restrict app-access to the people which need the access. That way you can give list_storage_credentials to roles with the risk of having people access credentials, which they are not supposed to access. 

You can also set the read/write access more granulary with [passwords/credential%3Arealmname%3Ausername%3A]

Read more here: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/secretstoragerbac

 

0 Karma
Reply

Mitch_TA_Debug
Explorer
‎03-25-2025 12:17 PM

Thanks for the insight. Does this also mean that, once authenticated with hypothetically stolen account credentials, an attacker could retrieve plaintext passwords simply with REST commands?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-14-2025 07:13 AM

1. Normally a non-admin user should not have this capability. This is normally used for maintaining credentials which are used for third party integrations (modular inputs, custom alert actions).

2. This works for credentials managed in the official Splunk way. If - for some reason - an addon developer decided to do something "their own way" (for example - decided that for each run of an input, it will pull credentials from a github project; no, that's not a real example but nothing is forbidding an addon author from inventing anything, no matter how stupid), that will most probably not be limited by this capability.

3. Obviously if there are credentials for access stored for use in automated way, you should have additional controls implemented on the destination system mitigating risk of abuse of those credentials. Their use of course should based on the rule of least required privilege and ideally they should be limited per IP. At the very least, if there is no other way, their use in the destination system should be monitored and reviewed regularly.

0 Karma
Reply

effem
Communicator
‎05-14-2025 01:48 AM
Thats correct. Hence its important to secure your Splunk environment properly.
Use MFA and SAML in example.
For more:
https://docs.splunk.com/Documentation/Splunk/latest/Security/WhatyoucansecurewithSplunk
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...